New day! New problem!

Actually there was no problem today; I just finalized my other plan in order to provide a better service for the company's customers. In our network we provide two major services: first, dial-up Internet access; second, POP3 e-mail.

Currently, users from outside can connect to our dial-up lines, which are low-quality analogue PSTN lines; we already have Internet access on new digital E1 lines, but e-mail users are still using the old service. For a long time I have had this idea in my mind to move them all to the new digital lines instead of those old lines. I had a design; today I made it.

Yesterday I installed my last firewall/web cache, prepared with FreeBSD, the pf firewall and the Squid web cache, and I decided to use it to let our e-mail users log in to the same network access server without having access to the Internet. I needed a private IP range to assign to the mail users, so first of all I added a new IP pool in the range 10.0.0.0/8 to their group, then enabled NATting on my firewall on one interface. It's a little bit strange to do NAT on one interface that also does routing and firewalling; it looks like a messy job. I added an alias on that interface and made an internal network with no route to the outside.

Well, this internal network was between my web server, name server and mail server. They were supposed to be on that network as well as on the public network, because users were going to access them through the 10.0.0.0/8 network. You may ask why I had to do NATting when all users and our network are in the same IP range and on the same physical network. I was thinking like this: I mean, I didn't add an IP alias to any of my servers; I just tried to use only NATting.

As you can see, users are supposed to access the other servers through the proxy/firewall. Because the DNS server resolves names to public IPs, I had to use NATting to give them access to the intranet servers. I tested the setting from the LAN: I set my computer's IP in the B.0.0.0/8 network and the gateway was B.0.0.1/8. It worked. I thought that it would be possible for dial-up users who connect to the access server to do the same, so I tried it with dial-up; it didn't work! After an hour of investigating TCP/IP packets and traffic, I found a strange thing: my packets go through the firewall and are NATted correctly, but when they come back from the servers they look for the B.0.0.0/8 network to reach the originating address. I couldn't find the reason, and I just tried different ways to see the differences; the only way that I found was to add an alias IP address in the B.0.0.0/8 range to the servers' interfaces. Now the servers are accessible from their public addresses, through the LAN and through dial-up. But I'm still thinking how it's possible!
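As an added illustration (not the author's own configuration), this is what the design described above could look like in a FreeBSD pf.conf: a private pool for the mail-user group, NAT on a single interface toward the intranet servers only, and no path from that pool to the Internet. The interface name, the 203.0.113.0/24 block (standing in for the public range the post calls B.0.0.0/8) and the server addresses are assumed placeholders.

```pf
# Added example, not the original post's configuration.
# Interface name and all addresses are assumed placeholders:
#   203.0.113.0/24 stands in for the public range the post calls B.0.0.0/8,
#   10.0.0.0/8 is the pool the post assigns to the mail-user group.
ext_if    = "em0"            # single firewall interface that routes, filters and NATs
pub_addr  = "203.0.113.1"    # firewall's public address, used as the NAT source
alias_gw  = "10.0.0.1"       # alias added to $ext_if: gateway of the internal network
mail_pool = "10.0.0.0/8"
intranet  = "{ 203.0.113.10, 203.0.113.11, 203.0.113.12 }"   # web, name, mail servers

# Translation rules come first in pf.conf. Only traffic from the private pool
# that is bound for the intranet servers is rewritten to the public address;
# everything else from the pool keeps its 10.x source and is dropped below.
nat on $ext_if from $mail_pool to $intranet -> $pub_addr

# Mail users need DNS, the web server and POP3/SMTP on the intranet servers.
pass in quick on $ext_if proto udp from $mail_pool to $intranet port 53 keep state
pass in quick on $ext_if proto tcp from $mail_pool to $intranet port { 25, 53, 80, 110 } keep state

# No general Internet access for the private pool: anything not matched above is blocked.
block in quick on $ext_if from $mail_pool to any
```

The alias itself is added outside pf, for example with `ifconfig em0 inet 10.0.0.1 netmask 255.0.0.0 alias` (or the matching `ifconfig_em0_alias0` entry in rc.conf), and the rules are loaded with `pfctl -f /etc/pf.conf`. NAT is only applied to packets that actually traverse the firewall's interface, so on a shared physical segment the useful check after a dial-up test is `pfctl -s state`: a state entry showing the 10.x client rewritten to the public address confirms the translation happened on the way out, and `pfctl -s nat` confirms the rule that was loaded.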